class UsersController < ApplicationController
  
  # ony logged in users can see any of these
  # actions, just to be sure.
  before_filter :authorize, :except => :login
  
  # GETs should be safe (see http://www.w3.org/2001/tag/doc/whenToUseGet.html)
  verify :method => :post, :only => [ :destroy, :create, :update ],
         :redirect_to => { :action => :list }
         
  def login
    session[:user_id] = nil;
    if request.post?
      user = User.authenticate(params[:name], params[:clearpassword])
      if user
        session[:user_id] = user.id;
        redirect_to :controller => "home", :action => "index"
      else
        flash[:notice] = "Invalid user/password combination"
      end
    end
  end
  
end
